DETAILED ACTION

1. Pursuant to USC 131, claims 1-22 are presented for examination.

Drawings 

2. The drawings are objected to as failing to comply with 37 CFR 1.84(p)(4) because 
reference characters "16" and "20" have both been used to designate the same element in figure 
1, and figure 1 includes the following reference character(s) not mentioned in the description: 
"20, nodes". 

In figure 2, there are no arrows going to and from collector 12 on the right side of the 
drawing and from and to aggregator 14. Therefore the drawing appears to be incomplete and not 
consistent with the specification. Figure 2 includes the following reference character(s) not 
mentioned in the description: "15a" and "15b". 

In figure 3, reference characters "32", "34", and "36" are each labeled as a storage, whereas 
the specification describes a memory 32 and a storage 34. The label "floe" of reference character 37 
has a spelling error and is not described in the specification. 

Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to 
the Office action to avoid abandonment of the application. Any amended replacement drawing 
sheet should include all of the figures appearing on the immediate prior version of the sheet, 
even if only one figure is being amended. Each drawing sheet submitted after the filing date of 
an application must be labeled in the top margin as either "Replacement Sheet" or "New Sheet" 
pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will 
be notified and informed of any required corrective action in the next Office action. The 
objection to the drawings will not be held in abeyance. 

Claim Rejections - 35 USC § 102 

3. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 
122(b), by another filed in the United States before the invention by the applicant for 
patent or (2) a patent granted on an application for patent by another filed in the United 
States before the invention by the applicant for patent, except that an international 
application filed under the treaty defined in section 351(a) shall have the effects for 
purposes of this subsection of an application filed in the United States only if the 
international application designated the United States and was published under Article 
21(2) of such treaty in the English language. 

Claims 8, 9, 11-13, 15, 16, and 18-21 are rejected under 35 U.S.C. 102(e) as being 
anticipated by US Patent Publication 2004/0010718 to Porras et al. 

As per claim 8, Porras et al discloses a method for detection of a new service involving 
an entity, the method comprising: Porras et al discloses monitoring network activity of an entity 
(see page 1, paragraph 11), which meets the recitation of an entity being tracked, and which includes 
analyzing event records such as port protocols (see page 3, paragraph 31); the method includes 
collecting statistical measures that include port protocols over a period of time, comprising the 
most recent data represented as short-term statistical profiles (current list) and the normal, non-
recent, data as long-term statistical profiles (baseline list) (see page 1, paragraphs 11 and 15, 
page 3, paragraphs 33 and 36 and page 4, paragraph 40), which meets the recitation of retrieving a 
baseline list of port protocols used by an entity being tracked, the baseline value determined over 
a baseline period, and retrieving a current list of port protocols for the entity being tracked; and 
further discloses that a comparison is made between the two, wherein the difference between them 
indicates suspicious network activity or abnormal activity (see page 1, paragraphs 11 and 15) or 
an indication of a new service (see page 3, paragraphs 33 and 36 and page 4, paragraph 47), which meets 
the recitation of determining whether there is a difference in the port protocols, by having a 
protocol that was in the current list but was not in the baseline list; and, if there is a difference, 
indicating a new service involving the tracked entity. 

As per claim 9, Porras et al discloses determining if the entity is providing or using the 
new service (see page 3, paragraphs 33 and 36 and page 4, paragraph 47). 

As per claim 11, Porras et al discloses retrieving a value corresponding to the alert 
severity level set for violation of the rule (see page 6, paragraph 67). 

As per claim 12, Porras et al discloses wherein the entity is at least one of a specific 
host, any host in a specific role, any host in a specific segment, or any host (see page 1, 
paragraph 10). 

As per claim 13, Porras et al discloses wherein the extent of the comparison is 
configured for that host, in its role, in its segment or anywhere in the network (see page 1, 
paragraph 7). 
As per claims 15, 16, 19, 20, and 21, these claims recite the same limitations as claims 8, 
9, 11, 12, and 13 respectively, except for incorporating the claimed method into a computer 
program. Porras et al discloses implementing the invention in a computer readable medium 
containing instructions (see page 8, paragraph 81). Therefore, claims 15, 16, 19, 20, and 21 are 
rejected on the same rationale as the rejection of claims 8, 9, 11, 12, and 13. 

As per claim 18, Porras et al discloses wherein instructions to indicate further comprise 
instructions to issue an alert if the new service is detected (see page 7, paragraph 71). 
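The detection logic the rejections of claims 8 through 13 and 18 read onto Porras et al (a baseline list of port protocols per tracked entity compared against a current list, the entity scoped to a host, role, segment or any host, with a rule deciding whether a detected new service raises an alert and at what severity, and a threshold as in claim 10), written out as an added illustration that is not code from the Office action or from either reference. The host inventory, event records and rule values are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed host inventory: role and segment of each tracked host (not from either reference).
HOSTS = {
    "10.0.1.5": {"role": "web", "segment": "dmz"},
    "10.0.1.6": {"role": "web", "segment": "dmz"},
    "10.0.0.2": {"role": "dns", "segment": "core"},
    "10.0.2.7": {"role": "file", "segment": "lan"},
}
# Constructed event records: (timestamp, source, destination, protocol, destination port).
EVENTS = [
    (10, "10.0.1.5", "10.0.0.2", "udp", 53),
    (20, "198.51.100.9", "10.0.1.5", "tcp", 443),
    (120, "203.0.113.4", "10.0.1.5", "tcp", 443),
    (130, "203.0.113.4", "10.0.1.5", "tcp", 4444),
    (132, "203.0.113.5", "10.0.1.5", "tcp", 4444),
    (140, "10.0.1.5", "10.0.2.7", "tcp", 445),
    (150, "10.0.1.6", "10.0.0.2", "udp", 53),
]

@dataclass(frozen=True)
class Rule:
    scope: str      # entity to track: "host", "role", "segment" or "any"
    value: str      # identifier within that scope (ignored for "any")
    alert: bool     # whether a new service for this entity raises an alert
    severity: int   # alert severity level attached to the rule
    threshold: int  # minimum event count before the activity triggers the alert

def in_scope(host, rule):  # True when host belongs to the tracked entity
    if rule.scope == "host":
        return host == rule.value
    return host in HOSTS and (rule.scope == "any" or HOSTS[host][rule.scope] == rule.value)

def service_counts(events, rule, start, end):
    # Count each (proto, port, mode) seen for the entity in [start, end);
    # mode is "providing" when the entity is the destination, "using" when it is the source.
    counts = Counter()
    for ts, src, dst, proto, port in events:
        if not start <= ts < end:
            continue
        if in_scope(dst, rule):
            counts[(proto, port, "providing")] += 1
        if in_scope(src, rule):
            counts[(proto, port, "using")] += 1
    return counts

def detect_new_services(events, rule, baseline_end, now):
    # Services in the current list but absent from the baseline list, with the alert decision.
    baseline = service_counts(events, rule, 0, baseline_end)
    current = service_counts(events, rule, baseline_end, now)
    findings = []
    for key in sorted(set(current) - set(baseline)):
        proto, port, mode = key
        fire = rule.alert and current[key] >= rule.threshold
        findings.append({"service": f"{proto}/{port}", "mode": mode, "count": current[key],
                         "alert": fire, "severity": rule.severity if fire else None})
    return findings
```

With a host-scoped rule for 10.0.1.5 the example reports tcp/4444 as a newly provided service that alerts and tcp/445 as a newly used service below the threshold; with a role-scoped rule for "web", udp/53 from 10.0.1.6 is not new because the role's baseline already contains it.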



Claim Rejections - 35 USC § 103 

4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or 
described as set forth in section 102 of this title, if the differences between the subject 
matter sought to be patented and the prior art are such that the subject matter as a whole 
would have been obvious at the time the invention was made to a person having ordinary 
skill in the art to which said subject matter pertains. Patentability shall not be negatived 
by the manner in which the invention was made. 



Claims 10, 14, 17, and 22 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over US Patent Publication 2004/0010718 to Porras et al. 



As per claim 10, Porras et al substantially discloses determining whether the activity 
exceeds a threshold value when the entity is using a new service (unknown port) and, if the 
threshold is exceeded and the entity is using a new service, an anomaly is detected (see page 4, 
paragraphs 47 and 48). Porras et al suggests using a countermeasure response to report the 
anomaly (see pages 6-7, paragraphs 67 and 71). Although not using the same terms as the claim 
language, it is apparent to one of ordinary skill in the art of intrusion detection that a rule for 
issuing an alert may be defined as exceeding a threshold value which indicates an attack, as 
disclosed by Porras et al, and that producing a countermeasure response or reporting the attack in 
response to detecting it can be reasonably interpreted as generating an alert. As known in the art, 
in an attack-response method, when an attack is detected according to a specified rule, an alert is 
generated. Therefore, it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to issue an alert if it is determined that a rule specifies to issue an alert 
if the entity is providing or using the new service, and if it is also determined that the entity is 
providing or using the new service, so as to protect the network from more global attacks by 
taking further actions (see page 7, paragraph 68) or by alerting other entities (see page 2, 
paragraph 16) as suggested by Porras et al. 

As per claim 14, Porras et al substantially discloses measuring network connections and 
using a statistical profile to make the comparison (see page 1, paragraphs 1-2) but does not 
explicitly disclose that the statistical profile is represented as a connection table. Examiner takes 
official notice that it is very well known in the art that network events can be represented in the 
form of a table, and it would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify the statistical profile of measures of network connections of 
Stewart et al and implement it in a connection table so as to make it easier to read, edit, 
and interpret the data, as known in the art. 
As per claim 17, Porras et al substantially discloses determining whether the activity 
exceeds a threshold value when the entity is using a new service (unknown port) and, if the 
threshold is exceeded and the entity is using a new service, an anomaly is detected (see page 4, 
paragraphs 47 and 48). Porras et al suggests using a countermeasure response to report the 
anomaly (see pages 6-7, paragraphs 67 and 71). Although not using the same terms as the claim 
language, it is apparent to one of ordinary skill in the art of intrusion detection that a rule for 
issuing an alert may be defined as exceeding a threshold value which indicates an attack, as 
disclosed by Porras et al, and that producing a countermeasure response or reporting the attack in 
response to detecting it can be reasonably interpreted as generating an alert. As known in the art, 
in an attack-response method, when an attack is detected according to a specified rule, an alert is 
generated. Therefore, it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to issue an alert if it is determined that a rule specifies to issue an alert 
if the entity is providing or using the new service, so as to protect the network from more global 
attacks by taking further actions (see page 7, paragraph 68) or by alerting other entities (see page 
2, paragraph 16) as suggested by Porras et al. 

As per claim 22, Porras et al substantially discloses collecting statistical measures to 
provide the most recent data represented as short-term statistical profiles (current list) and the 
normal, non-recent, data as long-term statistical profiles (baseline list) (see page 1, paragraphs 1-
2, paragraphs 11 and 15, page 3, paragraphs 33 and 36 and page 4, paragraph 40), but does not 
explicitly state that the statistical measures are represented in a table. Examiner takes official 
notice that it is very well known in the art that network events can be represented in the form of a 
table, and it would have been obvious to one of ordinary skill in the art at the time the invention 
was made to modify the statistical profile of measures of network connections of Stewart et al 
and implement it in a connection table so as to make it easier to read, edit, and 
interpret the data, as known in the art. 

5. Claims 1-7 are rejected under 35 U.S.C. 103(a) as being unpatentable over US Patent 
Publication 2004/0010718 to Porras et al in view of US Patent 7,047,288 to Cooper et al. 

As per claim 1, Porras et al substantially discloses a graphical user interface (see page 3, 
paragraph 31) for configuring a new service detection process, and discloses tracking an entity in 
the network (see page 1, paragraph 11), a method that allows a system to track whether the selected 
entity is providing or consuming a service (such as using an unknown port protocol) (see pages 4-5, 
paragraphs 40-41, 47-48); depicts a range over which to track the selected entity (see page 3, 
paragraph 35); and specifies a severity for an alert generated if a new service is detected (see pages 
4-5, paragraphs 41 and 47-48; and pages 6-7, paragraph 67). Porras et al does not explicitly 
disclose the details of the graphical user interface. However, it would have only required routine 
skill in the art to implement the steps above as fields in a graphical user interface to make it 
interactive. Cooper et al, in an analogous art, teaches generating a human readable English 
language description of a formal specification of network security policy that allows a non-
technical user within a user's organization to comprehend the policy by making the description 
simple enough to be understood (see abstract). Cooper et al discloses a graphical user interface 
(see for instance fig. 9) that includes several fields, including a field for specifying a host name and a 
field for the service being tracked (see figs. 9 and 31), which meets the recitation of a first field that 
depicts choices for entities to track in the network; a field for specifying a range of the entity being 
tracked (see column 13, lines 25-67 and fig. 9); and a field specifying a severity for an alert 
generated (see fig. 9). Therefore, it would have been obvious to one of ordinary skill in the art at 
the time the invention was made to modify Porras et al to implement the method disclosed by 
Porras et al in a graphical user interface represented by fields as disclosed in Cooper et al. 
One of ordinary skill in the art would have recognized the advantages disclosed by Cooper 
et al, who teaches generating a human readable English language description of a formal 
specification of network security policy that allows a non-technical user within a user's 
organization to comprehend the policy by making the description simple enough to be understood 
(see abstract). 

As per claim 2, the references as combined above disclose wherein the fields are 
linguistically tied together on the interface to form a sentence that corresponds to a rule (see 
Cooper et al, column 28, lines 10-51 and fig. 12). Claim 2 is therefore rejected on the same 
rationale as the rejection of claim 1 above. 

As per claim 3, the references as combined above disclose updating new rules in a 
database that meets the recitation of a list of new service detection rules stored in the detection 
system (see Cooper et al, column 68, lines 14-67). Claim 3 is therefore rejected on the same 
rationale as the rejection of claim 1 above. Claim 4 is therefore rejected on the same rationale as 
the rejection of claim 1 above. 

As per claim 4, the references as combined above disclose a field that allows a user to 
specify the entity to track as a specific host, any host in a specific role, any host in a specific 
segment, or any host (see Porras et al, page 1, paragraph 10 and Cooper et al, fig. 31 and fig. 
9). 

As per claim 5, the references as combined above disclose a field that specifies details for 
the extent of the comparison for the entity specified in the first field as host, in its role, in its 
segment or anywhere in the network (see Cooper et al, figs. 9, 10C, and 31). Claim 5 is 
therefore rejected on the same rationale as the rejection of claim 1 above. 

As per claim 6, the references as combined above disclose the claimed method of claim 
1. Porras et al also discloses wherein event severity is a numerical value (see Porras et al, page 
6, paragraph 67) and Cooper et al discloses a graphical interface for entering a severity value (see 
Cooper et al, fig. 9). Claim 6 is therefore rejected on the same rationale as the rejection of claim 
1 above. 

As per claim 7, the references as combined above disclose the claimed method of claim 
1. Cooper et al further discloses a pull-down menu for inputting the information in the fields (see 
fig. 31). Claim 7 is therefore rejected on the same rationale as the rejection of claim 1 above. 
Conclusion 

6. The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure as the prior art discloses several of the claimed features such as graphical user 
interface for implementing network detection and comparing recent event detection with known 
event to determine that new service is detected. (See PTO-form 892). 

6. 1 Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Carl Colin whose telephone number is 571-272-3862. The 
examiner can normally be reached on Monday through Thursday, 8:00-6:30 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser G. Moazzami can be reached on 571-272-4195. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Carl Colin/ 

Patent Examiner, A.U. 2136 
September 21, 2007 



